Cisco Firepower Management Center 4000

FireSIGHT System User Guide

Chapter 21
Managing Rules in an Intrusion Policy
You can use the Rules page in an intrusion policy to configure rule states and other settings for shared 
object rules, standard text rules, and preprocessor rules.
You enable a rule by setting its rule state to Generate Events or to Drop and Generate Events. Enabling 
a rule causes the system to generate events on traffic matching the rule. Disabling a rule stops processing 
of the rule. Optionally, you can set your intrusion policy so that a rule set to Drop and Generate Events 
in an inline deployment generates events on, and drops, matching traffic. See 
 for more information. In a passive deployment, a rule set to Drop and 
Generate Events just generates events on matching traffic.
You can filter rules to display a subset of rules, enabling you to select the exact set of rules where you 
want to change rule states or rule settings.
You can generate rule state recommendations based on vulnerabilities associated with the hosts and 
applications on your network and, optionally, update rules to reflect the recommended states.
See the following sections for more information:
  • describes the intrusion rules and preprocessor rules you can view and configure in an intrusion policy.
  • describes how you can change the order of rules on the Rules page, interpret the icons on the page, and focus in on rule details.
  • describes how you can use rule filters to find the rules for which you want to apply rule settings.
  • describes how to enable and disable rules from the Rules page.
  • explains how to set event filtering thresholds for specific rules and set suppression on specific rules.
  • explains how to set rule states that trigger dynamically when rate anomalies are detected in matching traffic.
  • describes how to associate SNMP alerts with specific rules.
  • explains how to enable preprocessors and other advanced features required by rules when those rules are set to Generate Events or Drop and Generate Events.
  • describes how to add comments to rules in an intrusion policy.
  • describes how to generate rule state recommendations based on vulnerabilities associated with the hosts and applications on your network.